// For flags

CVE-2024-26883

bpf: Fix stackmap overflow check on 32-bit arches

Severity Score

7.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix stackmap overflow check on 32-bit arches

The stackmap code relies on roundup_pow_of_two() to compute the number
of hash buckets, and contains an overflow check by checking if the
resulting value is 0. However, on 32-bit arches, the roundup code itself
can overflow by doing a 32-bit left-shift of an unsigned long value,
which is undefined behaviour, so it is not guaranteed to truncate
neatly. This was triggered by syzbot on the DEVMAP_HASH type, which
contains the same check, copied from the hashtab code.

The commit in the fixes tag actually attempted to fix this, but the fix
did not account for the UB, so the fix only works on CPUs where an
overflow does result in a neat truncation to zero, which is not
guaranteed. Checking the value before rounding does not have this
problem.

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: bpf: corrige la verificación de desbordamiento del mapa de pila en arcos de 32 bits. El código del mapa de pila se basa en roundup_pow_of_two() para calcular el número de depósitos de hash y contiene una verificación de desbordamiento verificando si el valor resultante es 0. Sin embargo, en arcos de 32 bits, el código de resumen en sí puede desbordarse al realizar un desplazamiento hacia la izquierda de 32 bits de un valor largo sin signo, lo cual es un comportamiento indefinido, por lo que no se garantiza que se trunque claramente. Esto fue activado por syzbot en el tipo DEVMAP_HASH, que contiene la misma verificación, copiada del código hashtab. La confirmación en la etiqueta de correcciones en realidad intentó solucionar este problema, pero la corrección no tuvo en cuenta la UB, por lo que la corrección solo funciona en CPU donde un desbordamiento resulta en un truncamiento claro a cero, lo cual no está garantizado. Verificar el valor antes de redondear no tiene este problema.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-02-19 CVE Reserved
  • 2024-04-17 CVE Published
  • 2024-04-30 EPSS Updated
  • 2024-12-19 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CAPEC
References (17)
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 4.19.177 < 4.19.311
Search vendor "Linux" for product "Linux Kernel" and version " >= 4.19.177 < 4.19.311"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 5.4.99 < 5.4.273
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.4.99 < 5.4.273"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 5.10.17 < 5.10.214
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10.17 < 5.10.214"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 5.11 < 5.15.153
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.11 < 5.15.153"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 5.11 < 6.1.83
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.11 < 6.1.83"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 5.11 < 6.6.23
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.11 < 6.6.23"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 5.11 < 6.7.11
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.11 < 6.7.11"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 5.11 < 6.8.2
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.11 < 6.8.2"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
>= 5.11 < 6.9
Search vendor "Linux" for product "Linux Kernel" and version " >= 5.11 < 6.9"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
4.9.258
Search vendor "Linux" for product "Linux Kernel" and version "4.9.258"
en
Affected
Linux
Search vendor "Linux"
Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
4.14.222
Search vendor "Linux" for product "Linux Kernel" and version "4.14.222"
en
Affected